
HTML injection into someone else's website?


I've got a product that embeds into websites similarly to Paypal (customers add my button to their website, users click on this button and once the service is complete I redirect them back to the original website).

I'd like to demo my technology to customers without actually modifying their live website. To that end, is it possible to configure http://stackoverflow.myserver.com/ so it mirrors http://www.stackoverflow.com/ while seamlessly injecting my button?

Meaning, I want to demo the experience of using my button on the live website without actually re-hosting the customer's database on my server.

I know there are security concerns here, so feel free to mention them so long as we meet the requirements. I do not need to demo this for a website that uses HTTPS.

More specifically, I would like to demonstrate the idea of financial bounties on Stackoverflow questions by injecting a Paypal button into the page. How would I demo this off http://stackoverflow.myserver.com/ without modifying https://stackoverflow.com/?

REQUEST TO REOPEN: I have reworded the question to be more specific per your request. If you still believe it is too broad, please help me understand your reasoning by posting a comment below.

UPDATE: I posted a follow-up challenge at How to rewrite URLs referenced by Javascript code?

UPDATE2: I discarded the idea of bookmarklets and Greasemonkey because they require customer-side installation/modification. We need to make the process as seamless as possible, otherwise many of them get turned off by the process and won't let us pitch.


Solution

  • After playing with this for a very long time I ended up doing the following:

    1. Rewrite the HTML and JS files on the fly. All other resources are hosted by the original website.
    2. For HTML files, inject a <base> tag, pointing to the website being redirected. This will cause the browser to automatically redirect relative links (in the HTML file, CSS files, and even Flash!) to the original website.
    3. For the JS files, apply a regular expression to patch specific sections of code that point to the wrong URL. I load up the redirected page in a browser, look for broken links, and figure out which section of JS needs to be patched to correct the problem.

    This sounds a lot harder than it actually is. On average, patching each page takes less than 5 minutes of work.

    The big discovery was the <base> tag! It corrected the vast majority of links on my behalf.
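
The HTML rewrite from step 2 of the answer above, as an added example that is not code from the original post. It goes a little further than the answer by handling a page that already has a <base> tag (browsers honour only the first one) or has no <head>, and it shows which links the tag does and does not redirect. ORIGIN, SAMPLE and the function names are constructed for illustration, and the regex matching assumes no tag-like text inside comments or scripts.

```python
import re
from html import escape
from urllib.parse import urljoin

ORIGIN = "http://www.example.com/questions/"  # constructed stand-in for the mirrored site
HEAD_OPEN = re.compile(r"<head\b[^>]*>", re.I)
BASE_TAG = re.compile(r"<base\b[^>]*>", re.I)
BASE_HREF = re.compile(r"""<base\b[^>]*\bhref\s*=\s*["']([^"']+)""", re.I)
PREAMBLE = re.compile(r"\s*(?:<!doctype[^>]*>\s*)?(?:<html\b[^>]*>)?", re.I)
LINK_ATTR = re.compile(r"""\b(?:href|src)\s*=\s*["']([^"']+)["']""", re.I)

# Constructed sample page: one link of each kind, plus a pre-existing <base>.
SAMPLE = """<!DOCTYPE html>
<html><head><title>Q</title><base href="/old/"></head>
<body>
<a href="/questions/1">root-relative</a>
<img src="img/logo.png">
<a href="#answers">fragment only</a>
<script src="http://cdn.example.net/app.js"></script>
</body></html>"""


def inject_base(html: str, origin: str) -> str:
    """Return html with exactly one <base href=origin>, first inside <head>."""
    tag = '<base href="%s">' % escape(origin, quote=True)
    # Only the first <base href> counts, so remove any the page already has.
    html = BASE_TAG.sub("", html)
    head = HEAD_OPEN.search(html)
    if head:
        return html[:head.end()] + tag + html[head.end():]
    # No <head>: add one after the doctype/<html> preamble, never before it.
    pos = PREAMBLE.match(html).end()
    return html[:pos] + "<head>" + tag + "</head>" + html[pos:]


def resolved_links(html: str) -> list:
    """Resolve each href/src against the page's <base>, as a browser would."""
    found = BASE_HREF.search(html)
    base_url = found.group(1) if found else ""
    body = BASE_TAG.sub("", html)  # skip the <base> tag's own href
    # Absolute URLs pass through unchanged; URLs built in JS never appear here,
    # which is why step 3 (patching the JS) is still needed.
    return [urljoin(base_url, m.group(1)) for m in LINK_ATTR.finditer(body)]


if __name__ == "__main__":
    for url in resolved_links(inject_base(SAMPLE, ORIGIN)):
        print(url)
```

Note the fragment-only link: with a <base> in place it resolves to the original site's URL plus the fragment, so clicking it leaves the mirrored page instead of scrolling within it.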